Guernsey retains its EU adequacy, as expected

The post-Brexit regulatory landscape continues to raise challenges and jurisdictional arbitrage, while some areas still maintain consistency and stability. The recent confirmation from the European Commission that 11 jurisdictions had retained their ‘adequacy’ status from a data protection perspective has left many breathing a sigh of relief. All three of the Crown Dependencies, Guernsey, Jersey and the Isle of Man, have retained the coveted status.

Despite ongoing concerns about international data transfers and the effectiveness of existing safeguards, the ‘adequacy’ status ensures that data flows to these jurisdictions can continue as they have done for years, without additional requirements. In the data protection world, ‘adequate’ or more specifically ‘adequacy’ is a much sought-after status afforded to a small, but growing number of jurisdictions.

The confirmation of Guernsey's 'adequacy' status by the European Commission on 15 January 2024 was widely celebrated. Alongside our fellow Crown Dependencies of Jersey and the Isle of Man, the report means that the flows of personal data required to facilitate business in today’s digital economy can continue as they have done for many years, without additional requirements. It also follows the UK government’s decision in July 2023 confirming Guernsey’s ‘adequacy’ status for law enforcement data transfer purposes.

Why adequacy is vital for Guernsey

Guernsey has a long history as an offshore international financial centre, known for its stability, robust approach to compliance and good governance. The financial services industry contributes significantly to the island’s GDP and is the major employer outside of the public sector. Guernsey’s ability to service a global client base in an increasingly digital marketplace is vital to maintaining its success, alongside facilitating the flow of capital across the globe. As such, there is no sense of underachievement; rather, it is a validation of the high standards being implemented and recognition that ‘trust’ plays a vital part in today’s remote economy.

Importantly, it is also recognition of the hard work carried out by the States of Guernsey’s team (led by the Head of Data Protection, Callie Loveridge) and the collaborative approach adopted through liaison with industry working groups to develop and finalise evolutionary legislation in a challenging timeframe.

Since GDPR's adoption in 2016, Guernsey rapidly developed policies and legislative frameworks equivalent to GDPR. This led to the Data Protection (Bailiwick of Guernsey) Law, 2017 coming into force on the same day GDPR was enforced, 25 May 2018. Guernsey’s previous legislation dated back to 2001 and as such required supplementing to meet the GDPR standards, albeit the fundamental principles remained the same. The new enforcement powers of the local regulator in particular provided ’teeth’ to the requirements under the law.

As a piece of legislation touching all aspects of island life, one might anticipate that support for it would be immediate and overwhelming. As one of the islands occupied by the Nazi army during the Second World War, memories of the misuse of personal data to identify individuals for deportation provide a stark reminder of the importance of safeguarding such data. Therefore, it was perhaps unsurprising that the law did not face any substantive opposition.

The 'human' factor, essential for stable and competitive data flows, was consistently promoted by former Data Protection Commissioner Emma Martins and the ODPA team, fostering trust and business growth. Having recently finished her term of office, Emma leaves a strong legacy for the new incumbent Brent Homan, to progress. Homan brings with him a wealth of experience from Canada, such that the future of the regime and focus on the ‘human factor’ are in good hands.

The business case for achieving equivalence was also clear and obvious - the close ties to the UK and Europe are vital not only for our own economic prosperity, but for maintaining flows of capital and investment to the UK and the wider global community. As the report acknowledges, convergence between privacy systems encourages economic and cultural growth.

As an offshore jurisdiction with our own government and legislative process (and being outside the EU/EEA), questions were focused around how to adapt and supplement the provisions of GDPR to suit the local environment. While GDPR is an ‘umbrella’ piece of legislation, its precise application in any given circumstance is often open to a wide range of interpretation, evidenced by the continuous stream of cases seeking clarification through the European Court of Justice (ECJ) and in the courts or tribunals of individual jurisdictions.

Our somewhat unique constitutional and geographic situation meant that additional provisions were required to meet the wider GDPR standards, while ensuring that the practical application of data protection law to trusts, foundations and investment and insurance structures was effective. While international transfers of data continue to evolve across the globe (and by way of example), we implemented an Addendum to the EU Standard Contractual Clauses (SCCs) in order to better reflect the legal status of our island.

The review process leading to the report was signposted by Article 97 of GDPR. The process was anticipated to be undertaken on a four-year cycle, yet the ECJ judgment in the Schrems II case impacted the process as a consequence of it clarifying certain elements of the ‘adequacy’ standard. The current iteration for 11 jurisdictions including Guernsey, Jersey and the Isle of Man having been only recently adopted in January 2024, and with other countries being interested in consideration for ‘adequacy’ status, it is unclear what the timetable for any further review might be. However, the report does note that ‘adequacy’ decisions are ‘living instruments’ and as such, it will in any case be important to maintain and adapt existing standards to meet changing global conditions.

Report methodology

The report builds on the ’adequacy’ decisions adopted previously, considering subsequent developments in the data protection frameworks of those jurisdictions and overlaying the requirements of GDPR, while also taking into account ECJ case law and the guidance of the European Data Protection Board (EDPB).

It is important to remember that the key wording is ‘essentially equivalent’ – the local framework does not have to be identical to that of the EU, rather the means of achieving an adequate level of protection can vary, provided they are effective. This is similar to the growth of more risk-based, outcomes-focused regulation that we have seen in the past decade. It is particularly important in jurisdictions such as Guernsey, where the size of the population, resourcing, legal history and nature of the economy means that a nuanced approach is required in order to make such legislation effective.

Given the issues highlighted in case law and the ECJ’s decisions in invalidating the Safe Harbor and Privacy Shield mechanisms, the report also looks at the protections in place surrounding access by public authorities and law enforcement, particularly in relation to access/processing for national security purposes.

The report also examines protections against public authority access, especially for national security, in light of ECJ decisions that invalidated Safe Harbor and Privacy Shield mechanisms. Clear rules around access, safeguards and effective redress mechanisms are all key requirements. The commission undertook a lengthy and intensive process of information gathering from local governments, law enforcement, regulatory authorities, publicly available materials and local experts to identify and understand the development of the regimes and their operation in practice. Consultation with relevant EU institutions and bodies was also undertaken, with affected jurisdictions being afforded the opportunity to validate the factual accuracy of the information provided. As such, while the process has been time and resource intensive, the outcome is robust.

Report findings

The introduction of the law is recognised as a significant and welcome development, modernising the pre-existing framework and bringing greater convergence with the European position. At its core, the risk-based approach is followed, dovetailing with the ‘essential equivalence’ requirements, as there is flexibility to achieve a workable outcome.

The definitions adopted largely mirror those under GDPR, with some limited local modifications. The definition of ‘special category data’ was expanded to include biometric and genetic data. Core areas such as the data protection principles (already present in Guernsey’s 2001 legislation) remain as foundations. The law is very much evolutionary, rather than revolutionary.

Individuals’ rights are at the heart of the legislation; additional rights (such as not being subject to a decision based on automated decision making) were introduced, recognising the advance of technology. In an age where interest in AI is at frenzy level, and with the EU’s AI Act being approved, this is an important future-proofing provision. Further, exercising those rights is facilitated - whereas previously an individual had to apply to court to exercise their right to rectification/erasure, the request is now directed to the controller, for example. In line with existing European law, such rights are not without limits. The exemptions set out in the law are reflective of those under GDPR, with some additional provisions arising from local law (such as that limiting the access to data held in the context of trusts), but they are similarly narrowly construed in order to be human rights compliant.

The territorial scope provisions were modified to follow those under Article 3 GDPR; while there continues to be debate as to the ‘reach’ of such provisions, it is nevertheless helpful to be able to consider ECJ case law in that context, particularly in an e-commerce context.

The process and requirements are very similar to those under GDPR, such that aside from the likely additional obligation to notify the ODPA, the similarities make what is undoubtedly a stressful process smoother for those seeking to understand their obligations across a number of jurisdictions, given the harmonisation.

The ODPA’s independence

The ODPA is praised for its outreach and development of guidance, though it is perhaps its degree of independence that is most important. Aside from a formal process for the appointment of its members and the commissioner, the funding model has moved to one based on fee income, a move away from government funding and thus any perceived lack of independence.

The introduction of a formal enforcement framework provides the ODPA with the tools to sanction where required, but also provides for forms of redress for individuals (via complaints, court proceedings, or judicial review of decisions of the ODPA).

International transfers are another area where the Guernsey position is expressly aligned, recognising as it does the EU SCCs, and other mechanisms such as BCRs, while also noting that for transfers authorised by the ODPA, consideration should be given to EDPB Opinions and Guidance, demonstrating further alignment.

A major international hurdle has been the varied approaches of different jurisdictions to government and law enforcement access to data and surveillance. The report outlines the mechanisms through which local authorities can access data, all of which have evolved in alignment with international standards such as the European Convention on Human Rights, Convention 108, and anti-money laundering and terrorism financing measures developed by the Financial Action Task Force (FATF) and the OECD.

The European Convention on Human Rights was extended to Guernsey in 1953 and similar obligations as arise under the EU’s Law Enforcement Directive apply in Guernsey. Restrictions on individuals’ rights are limited by a requirement for such to prejudice the relevant statutory purpose in order that reliance is placed on them. Actions taken in pursuit of such purposes have to be ‘necessary and proportionate in a democratic society’ and due consideration evidenced.

While the various aspects of enforcement access are governed separately (by the Police Powers and Criminal Evidence (Bailiwick of Guernsey) Law, 2003, the Regulation of Investigatory Powers (Bailiwick of Guernsey) Law, 2003 and the various pieces of AML legislation), the fundamental principles are the same.

Access for law enforcement, for surveillance or access to communications, or to investigate encrypted data are all subject to oversight either by procedural safeguards, statutory office holders’ approval or consideration by the judiciary. In all cases, there are checks and balances around the proportionality and necessity of the relevant steps and redress mechanisms provided for affected individuals.

In addition, the Regulatory Powers Commissioner is required to publish an annual report, highlighting any issues, in line with transparency and accountability principles. The majority of such matters are locally focused and involve assisting local law enforcement to investigate border, drug and financial crime issues. As such, there are procedural safeguards against potential abuse.

Conclusion

While the above does not address all of the report in detail, the theme is of alignment and convergence. This is perhaps unsurprising that given the strategic objective of achieving “essential equivalence”, and the societal and economic imperatives of meeting international standards.

The regulatory regime will continue to evolve in line with international standards, while safeguarding the island’s position in the marketplace, for both institutions and individuals. This endorsement is crucial for reinforcing Guernsey’s international relationships, providing assurance that other jurisdictions are meeting similar standards.